Generate Kubernetes Secret manifests safely
A Secret holds small amounts of sensitive data — passwords, tokens, TLS certificates, registry credentials — and makes it available to pods without baking it into images. This builder assembles a valid v1 Secret manifest, base64-encoding your values for the data field or leaving them plaintext under stringData.
How it works
The Kubernetes data field stores every value base64-encoded. The builder encodes your input using a UTF-8-safe routine so multi-byte characters survive correctly, which a naive btoa call would corrupt. If you prefer to author in plaintext, switch to stringData and the API server performs the base64 encoding when you kubectl apply.
The Secret type field tells Kubernetes what shape to expect. Opaque is the generic catch-all; typed Secrets such as kubernetes.io/tls validate that the required keys (tls.crt, tls.key) are present.
Common Secret types
| Type | Required keys | Typical use |
|---|---|---|
Opaque | Any | Generic API tokens, passwords, config |
kubernetes.io/tls | tls.crt, tls.key | TLS certificates for Ingress |
kubernetes.io/dockerconfigjson | .dockerconfigjson | Private registry pull credentials |
kubernetes.io/basic-auth | username, password | Basic auth credentials |
kubernetes.io/ssh-auth | ssh-privatekey | SSH private keys |
How pods consume Secrets
As environment variables:
env:
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: db-secret
key: password
As mounted files (preferred for TLS and large values):
volumes:
- name: tls
secret:
secretName: app-tls
containers:
- volumeMounts:
- name: tls
mountPath: /etc/tls
readOnly: true
Mounted Secrets are automatically updated when the Secret changes (with a short kubelet sync delay). Env var Secrets are baked in at pod startup and require a pod restart to pick up new values — this is a common operational gotcha.
Production security checklist
- Enable etcd encryption at rest — without it, every Secret in the cluster is readable by anyone with etcd access.
- Seal for GitOps — use Sealed Secrets or SOPS to encrypt manifests before committing; plain base64 in git is equivalent to plaintext.
- Prefer External Secrets Operator for cloud deployments — syncs from AWS Secrets Manager, GCP Secret Manager, or HashiCorp Vault, so the source of truth lives outside the cluster.
- RBAC least-privilege — grant
get/liston specific Secrets only to the ServiceAccount that needs them, never broad*on thesecretsresource. - Rotation — updating a Secret does not restart pods consuming it as env vars; you must roll the pods or use a sidecar agent (like Vault Agent) to reload credentials in place.